Was the file downloaded?
If you’re ever tracking down where a suspicious came from, it can be hard to determine if it was downloaded off of the “dirty” internet, or if someone actually created the file locally on the machine. Well if you know how to check the file’s alternative data stream, it actually becomes pretty easy to determine if it was in fact downloaded. You don’t know what the alternate data stream is, or how to check? We can fix that.
First a little background. The “Zone Identifier Alternate Data Stream” is often referred to as the Mark-of-the-Web (MOTW). The MOTW was actually a security feature first introduced by Internet Explorer for determining how to run saved HTML webpages. It has since grown to become implemented into many other file types. Whenever a file is downloaded, your browser implements MOTW by utilizing a feature of the NTFS file system called the alternate data stream (ADS) to associate a data stream to that file. The browser creates an ADS called “Zone.Identifier” and then adds the ZoneId to the stream to specify where the file came from. The ADS will be <file>:Zone.Identifier.
The ZoneId can have the following values:
- 0. Local Computer
- 1. Local Intranet
- 2. Trusted Sites
- 3. Internet
- 4. Restricted Sites
Enough of the background… Let us get back to the hands-on part.
To check the files’ ADS & ZoneId from a command prompt, use the following syntax. The “file” we’re going to be checking is named: file.ext
notepad file.ext:Zone.Identifier
Alternatively, to check the file with PowerShell, use either of the following cmdlets.
Get-Item .\file.ext -Stream *
Get-Content .\file.ext -Stream Zone.Identifier